Flying phishers: cybercriminals targeting frequent flyer miles

We wrote in our predictions for 2011 about cyber attacks that steal everything. In fact cybercriminals are interested in stealing all kinds of data, including the miles you accumulate in frequent flyer programs. Customers of Brazilian airline companies are being targeted by a flood of phishing messages whose goal is to steal customer’s accounts and their miles in the frequent flyer programs maintained by local airlines. The miles stolen from customers are becoming a new kind of currency among Brazilian cybercriminals and phishers, who can use them to issue tickets for themselves, sell tickets to other criminals or use them in barter schemes.

The attacks involve the sending of phishing messages in mass mailings that promise more points in a frequent flyer program or offer a supposed prize. In some attacks the customer is asked to re-register on a fake website:

“Register now and earn more miles in the frequent flyer program”

Brazilian phishers are also registering a lot of malicious domains using names that seem to be related to airline companies, when in fact they are not. Some examples can be viewed safely here, here and here. In some attacks we saw trojans changing the Hosts file to redirect the victim to the phishing site, all of them request the customer’s registration number for the airline’s site and the corresponding password. This data is enough for a cybercriminal to steal the account and all the miles:

In fact, we have already seen several passengers complaining to the local media about their accounts on the websites of airlines being hacked and their miles being used to issue tickets on behalf of unknown persons. One victim claims to have lost around R$ 12,000, the equivalent of US $ 7,600 in accumulated miles. In general it’s not possible to transfer the miles to other person, but the bad guys issue the tickets using the name of money-mules or using a fake ID.

This is not the first time that cybercriminals have targeted frequent flyers. Similar attacks were reported last June in Germany when a new version of the Trojan banker SpyeEye stole air miles from customers of an airline company.

The most interesting aspect of the latest cases is that the stolen miles are being used as a form of currency by cybercriminals. In this message, in an IRC channel, a criminal is selling access to a Brazilian botnet with 3,300 machines that can send “unlimited spam”, and charging around 60 dollars OR 60,000 miles of a specific Brazilian airline company:

This one is asking for a partner to exchange stolen air miles for stolen credit cards:

If you have miles accumulated in an airline company, stay alert and don’t react to any suspicious messages you may receive by email. The anti-phishing module in our products blocks access to these malicious pages.

I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.